POPIA compliance for a small business comes down to seven concrete steps: appoint and register your Information Officer, publish a privacy policy, compile a PAIA manual, put consent records in place, set up a process for data subject requests, prepare a breach response plan, and sign written agreements with the operators who process data for you. None of it needs a law degree. This checklist walks through each step - what the law actually asks of you, and how to get it done - roughly in the order we recommend tackling them.
New to the Act itself? Start with our complete guide to POPIA, then come back here for the to-do list.
1. Appoint and Register Your Information Officer
Under section 55 of POPIA, every business has an Information Officer whether it appoints one or not: by default it is the head of the business - the owner, CEO, or senior partner. You cannot opt out of the role, but you can delegate the day-to-day work to a deputy. The accountability stays with the head.
Two things most owners miss:
- The Information Officer must be registered with the Information Regulator before performing their duties. Registration is done on the Regulator's eServices portal and is free.
- The appointment should be recorded in writing, so the role, its duties, and any delegation are documented.
Read the full walkthrough in our guide to appointing an Information Officer under section 55. POPIAdesk generates the Information Officer Appointment letter for you.
2. Publish a Privacy Policy
POPIA's openness condition requires you to tell people what you do with their information. In practice that means a privacy policy that states: what personal information you collect, why you collect it, who you share it with, whether it leaves South Africa, how long you keep it, how you secure it, how a person can access or correct what you hold, and your Information Officer's contact details.
A generic template copied from an overseas website usually fails this test - most are written for the GDPR, not POPIA. POPIAdesk's Privacy Policy generator walks you through each required element and produces a policy tailored to your business.
3. Compile Your PAIA Manual
This is the document most small-business owners have never heard of, and the one with the most common misconception attached. Until the end of 2021, most small private bodies were exempt from compiling a PAIA manual. That exemption lapsed on 31 December 2021 and was not renewed: since 1 January 2022, every private body - including sole proprietors and small companies - must have a manual under section 51 of PAIA.
The manual describes what records your business holds and how someone can request access to them. It must be available at your principal place of business, and on your website if you have one. POPIAdesk generates a PAIA manual aligned with the current section 51 requirements.
4. Get Your Consent Records in Order
Not all processing needs consent - POPIA recognises other lawful bases, such as performing a contract or complying with the law. But where you do rely on consent, you must be able to prove you have it. Memory is not a record.
Direct marketing has its own stricter rules under section 69: marketing to someone who is not an existing customer by email, SMS, or automated call requires their consent first, and you may only ask for that consent once. Existing customers may be marketed to only if you obtained their details in the course of a sale, you are marketing similar products, and every message offers an opt-out.
Note that the POPIA regulations were amended in April 2025 and the prescribed forms were updated, including the form used to request direct-marketing consent - so consent paperwork from 2021 is likely out of date. POPIAdesk generates both a general Consent Form and the Marketing Consent form, aligned with the current regulations.
5. Set Up a Data Subject Request Process
People have the right to ask what personal information you hold about them, and to have it corrected or deleted. These data subject requests (DSRs) must be answered within 30 days, and you should verify the requester's identity before disclosing anything.
For a small business the requirement is simple: a known way for people to submit a request, and a record showing each request was handled on time. POPIAdesk provides a public request form for your business plus deadline tracking, so nothing slips past the 30-day mark.
6. Prepare a Breach Response Plan
Section 22 of POPIA requires you to notify the Information Regulator, and in most cases the affected people, as soon as reasonably possible after personal information is compromised. A breach is the worst possible moment to be reading section 22 for the first time.
Decide now who does what when data leaks, and have the notification letter ready to fill in rather than write from scratch. Document every step you take with a timestamp - a breach response you cannot prove afterwards might as well not have happened. POPIAdesk generates the Breach Notification letter pre-filled with your details.
7. Put Operator Agreements in Place
An operator is anyone who processes personal information on your behalf: your payroll provider, hosting company, bookkeeper, or marketing agency. POPIA requires a written contract obliging the operator to keep the information confidential and to maintain proper security safeguards.
List every third party that touches your customer or staff data, and make sure each one has signed an agreement. POPIAdesk's Data Processing Agreement generator produces one you can send to each operator.
Rounding It Out
Three more documents complete the set for most small businesses, and POPIAdesk generates all of them: an Employee Privacy Notice (POPIA covers staff data too - payroll counts), a Cookie Policy if your website uses cookies or trackers, and a Retention Schedule recording how long you keep each category of information and why. Retention is a genuine POPIA requirement - you may not keep personal information longer than you need it, while other laws set minimum periods you must respect.
Frequently Asked Questions
Does POPIA apply to my small business?
Almost certainly yes. POPIA applies to any business that processes personal information - customer names and contact details, staff records, supplier contacts. There is no small-business exemption from the Act itself.
Does a small business really need a PAIA manual?
Yes. The exemption that covered most small private bodies ended on 31 December 2021. Since 1 January 2022 every private body must have one, regardless of size.
What happens if I do nothing?
The Information Regulator can issue enforcement notices and fines, and data subjects can bring civil claims. The more immediate cost is usually commercial: larger customers, tenders, and insurers increasingly ask for proof of POPIA compliance before doing business.
Where to Start
Work the list top to bottom - the Information Officer registration and the privacy policy are the highest-visibility items, and the PAIA manual is the one most often missing entirely. If you want to know exactly where you stand first, take the free POPIA assessment and check your compliance score free - it takes about five minutes and covers each area in this checklist.
This is general information, not legal advice. For your specific situation, consult an attorney.